XCP

XCP stands for Extended Copy Protection.

XCP was developed by UK-based First4Internet, a company founded in 1999 that specializes in Content Protection, Digital Asset Management and Image Content Filtering solutions. It is a Digital Rights Management (DRM) title for audio compact discs to prevent ripping (copying) of the audio tracks. It is only effective on the Microsoft Windows XP operating system.

The "Sony Rootkit DRM"

XCP has been widely known as the Sony Rootkit since November, 2005. Researcher Mark Russinovich had an encounter with a Sony BMG CD that contained the DRM software. When he investigated the installation he discovered that it uses the same techniques as "rootkits" to mask itself. He then posted on his blog saying that Sony had gone too far with this copy protection.

"Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall." - Mark Russinovich

Russinovich pointed out that nowhere in the license agreement shown before installation does it mention that the software cannot be uninstalled from the operating system. If you remove it, your CD drive could be rendered inoperable, and the only way to fix it is to reformat the disk and reinstall the Windows operating system.

"There would be no problem if there's a big screen coming up saying as part of the anti-piracy measures this CD will amend your operating system. What we are scared of is when we find a new virus written by someone that relies on the fact that this [XCP] software is running on tens of thousands of computers around the world, the rootkit would hide that virus from pretty much any anti-virus program out there." - Mikko Hypponen (CEO, F-Secure)

Mathew Gilliat-Smith, chief executive of First4Internet, defended XCP, saying that there was no evidence that viruses were being written that took advantage of XCP's file hiding techniques. He also claimed that consumers were properly warned about the copy protection, as it is clearly written on the CD.

Thomas Hesse, President of Sony BMG's global digital business division, defended the company from criticism, saying "Most people, I think, don't even know what a rootkit is, so why should they care about it?". In early November a trojan was discovered in an email attachment that attempted to exploit the DRM to hide a file, $sys$drv.exe. This file was identified as a "bot program" that was designed to connect to an Internet Relay Chat network. The attacker would have complete control over the computer. The email that carried this trojan attempted to look like a legitimate email from a British magazine.

"Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here." (email body)

In mid-November, Sony BMG announced that it was to cease production of XCP protected CDs as a "precautionary measure". The company then also issued a recall and offered a swap to consumers who had already purchased a CD. 52 CDs in total were protected by XCP. Thomas Hesse also made an apology on behalf of Sony BMG.

"We're very, very sorry for the disruption and inconvenience that this has caused to music consumers" - Thomas Hesse

How does XCP work?

When a user inserts a CD containing XCP (or XCP-Aurora, as it is marketed), they are met with a license agreement to install the Digital Rights Management (DRM) software. When it is installed, it uses a rootkit to hide itself. The filenames all begin with $sys$ and the software will mask these files. It then intercepts low-level Windows system calls. It alters the Windows registry so that the Windows CD driver does not operate. All accesses to the CD drive from "unauthorized" media players or CD rippers receive altered data when trying to play or rip the audio tracks. The filter driver that is installed inserts random noise into the data returned to all processes except the media player that is included with XCP's installation.
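A defender can expose this kind of name-based cloaking with a cross-view comparison: list the same volume once through the live Windows API and once from an offline or raw scan, then diff the two. The sketch below is an added example, not code from XCP, Sony or the original page; the listings are constructed, only $sys$drv.exe is a name taken from the page, and it assumes that a prefixed directory also hides whatever is beneath it.

```python
from pathlib import PureWindowsPath

CLOAK_PREFIX = "$sys$"  # name prefix the page says XCP masks

def _key(path):
    # Windows file names compare case-insensitively
    return str(PureWindowsPath(path)).lower()

def is_cloaked_name(path):
    """True if any path component starts with the cloak prefix.
    Assumption: a prefixed directory hides everything beneath it."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts  # skip the drive/root anchor
    return any(part.lower().startswith(CLOAK_PREFIX) for part in parts)

def cross_view(live_api_listing, offline_listing):
    """Entries the offline scan sees but the live API does not report."""
    live = {_key(p) for p in live_api_listing}
    hidden = [p for p in offline_listing if _key(p) not in live]
    return {
        # Explained by the prefix cloak: the diff cannot tell the DRM's own
        # files from anything else that borrowed the prefix, so review all.
        "cloaked_by_prefix": sorted(p for p in hidden if is_cloaked_name(p)),
        # Hidden without the prefix: some other hiding mechanism is at work.
        "hidden_other": sorted(p for p in hidden if not is_cloaked_name(p)),
    }

# Constructed listings for illustration only.
OFFLINE = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\$sys$example\driver.sys",  # constructed DRM-style name
    r"C:\Windows\System32\$sys$drv.exe",             # trojan name from the page
    r"C:\Windows\System32\drivers\unknown.sys",      # constructed, no prefix
    r"C:\Windows\Temp\report.tmp",
]
LIVE = [
    r"c:\windows\system32\KERNEL32.DLL",
    r"C:\Windows\Temp\report.tmp",
]

if __name__ == "__main__":
    for bucket, paths in cross_view(LIVE, OFFLINE).items():
        print(bucket, paths)
```

Both the constructed DRM-style file and the trojan's file land in the same bucket, which is the risk Hypponen describes above: the cloak hides anything that uses the prefix, not only the DRM's own files.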

Since it is Windows XP-based DRM, it is not effective on a Mac or Linux. However, some of the discs infected contain SunnComm's MediaMax which attempts to install a kernel in the Mac OS X operating system. If this isn't present, ripping is still possible.

The XCP-infected music CDs distributed by Sony BMG rely (like many DRM titles) on the discs being multi-session. This is why XCP and other DRM packages do not affect stand-alone CD players. This is seen as a weakness, however, as applying something to the disc to block the data track makes that track unreadable to a CD drive. This means that, if done properly, Windows XP would only see the audio tracks and you could use the disc like any DRM-less CD.

Sony's rootkit uninstaller / patch

Sony began offering an uninstaller for the rootkit part of XCP, which means that files and processes would be completely visible to users. However, Mark Russinovich pointed out some privacy concerns with the uninstaller. A user is required to fill out a form, including email address and other information, using only Microsoft Internet Explorer. An email is then sent to the user's account, where they will be redirected to a second form to fill out before receiving a link to the uninstaller (which only works once). The problem is that the privacy policy states that the information you provided may be provided to third parties who may wish to contact you directly.

If privacy concerns weren't enough, serious security issues were reported with the patch. The uninstaller attempts to install an ActiveX control which is marked as "Safe for scripting". Any webpage can now utilise the control and its methods, which is dangerous as an attacker could now download and execute arbitrary code. Experts say that this security hole is even more serious than XCP itself.
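To audit a machine for controls exposed this way, the sketch below parses a registry export and lists every control registered under the "safe for scripting" component category, together with whether Internet Explorer's kill bit already blocks it. It is an added example, not part of the original page or of any Sony tool; the CLSIDs and paths in the sample export are constructed placeholders, and the kill bit is the standard Windows mechanism, not something the page describes.

```python
import re

# Component category that marks an ActiveX control "safe for scripting"
CATID_SAFE_FOR_SCRIPTING = "{7dd95801-9882-11cf-9fa9-00aa006c42c4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading a control

_SECTION = re.compile(r"^\[(.+)\]$")
_CLSID = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})(?:\\(.+))?$", re.I)
_COMPAT = re.compile(r"\\ActiveX Compatibility\\(\{[0-9a-f-]{36}\})$", re.I)
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def scriptable_controls(reg_text):
    """Map each safe-for-scripting CLSID to True if its kill bit is set."""
    scriptable, killed, compat_clsid = set(), set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        sec = _SECTION.match(line)
        if sec:  # a new key: work out which control, if any, it belongs to
            key = sec.group(1)
            compat = _COMPAT.search(key)
            compat_clsid = compat.group(1).lower() if compat else None
            cls = _CLSID.search(key)
            if cls and cls.group(2):
                sub = cls.group(2).lower()
                if sub == "implemented categories\\" + CATID_SAFE_FOR_SCRIPTING:
                    scriptable.add(cls.group(1).lower())
            continue
        flags = _FLAGS.match(line)
        if flags and compat_clsid and int(flags.group(1), 16) & KILL_BIT:
            killed.add(compat_clsid)
    return {c: c in killed for c in sorted(scriptable)}

# Constructed .reg export; the CLSIDs and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\example\\plain.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, blocked in scriptable_controls(SAMPLE_REG).items():
        print(clsid, "kill bit set" if blocked else "REACHABLE FROM ANY PAGE")
```

A control that comes back `False` is both scriptable and loadable, the state the uninstaller left behind according to the paragraph above.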

Legal issues

This whole situation is surrounded with legal problems. Firstly, anti-spyware and privacy laws may have been broken by Sony BMG and First4Internet, depending on territory. One researcher, Sebastian Porst, also claims that XCP is in violation of the Lesser General Public License (LGPL) due to similarities between XCP and functions in the LAME media encoding library. But not all of the legal issues in this affair concern Sony BMG and First4Internet.

Even though XCP has been labeled by experts and anti-virus software companies as malicious spyware, users who either use something to block the data track on the CD to block out XCP completely or somehow uninstall XCP could be in violation of anti-circumvention laws including the Digital Millennium Copyright Act (DMCA) in the United States.

Lawsuits

Several lawsuits have been filed against Sony BMG, including those filed by the U.S. states of Texas, California and New York, and in Italy. The list is expected to grow rapidly.

"Sony has engaged in a technological cloak and dagger deceit against consumers by hiding secret files on their computers," - Greg Abbott, Texas attorney-general.

CDs that contain XCP

Here is a list of the CDs that contain XCP copy protection. In the brackets is the Item Number, which can be read off the spine of the CD.

A Static Lullaby - Faso Latido (CK92772)

Acceptance - Phantoms (CK89016)

Amerie - Touch (CK90763)

Art Blakey - Drum Suite (CK93637)

The Bad Plus - Suspicious Activity? (CK94740)

Bette Midler - Sings the Peggy Lee Songbook (CK95107 & CK74815)

Billie Holiday - The Great American Songbook (CK94294)

Bob Brookmeyer - Bob Brookmeyer & Friends (CK94292)

Buddy Jewell - Times Like These (CK92873)

Burt Bacharach - At This Time (CK97734)

Celine Dion - On Ne Change Pas (E2K97736)

Chayanne - Cautivo (LAK96819 & LAK96818 & LAK95886)

Chris Botti - To Love Again (CK94823)

The Coral - The Invisible Invasion (CK94747)

Cyndi Lauper - The Body Acoustic (EK94569)

The Dead 60's - The Dead 60's (EK94453)

Deniece Williams - This Is Niecy (CK93814)

Dexter Gordon - Manhattan Symphonie (CK93581)

Dion - The Essential Dion (CK92670)

Earl Scruggs - I Saw The Light With Some Help From My Friends (CK92793)

Elkland - Golden (CK92036)

Emma Roberts - Unfabulous And More: Emma Roberts (CK93950 & CK97684)

Flatt & Scruggs - Foggy Mountain Jamboree (CK92801)

Frank Sinatra - The Great American Songbook (CK94291)

G3 - Live In Tokyo (E2K97685)

George Jones - My Very Special Guests (E2K92562)

Gerry Mulligan - Jeru (CK65498)

Horace Silver - Silver's Blue (CK93856)

Jane Monheit - The Season (EK97721)

Jon Randall - Walking Among The Living (EK92083)

Life Of Agony - Broken Valley (EK93515)

Louis Armstrong - The Great American Songbook (CK94295)

Mary Mary - Mary Mary (CK94812 & CK92948)

Montgomery Gentry - Something To Be Proud Of: The Best of 1999-2005 (CK75324 & CK94982)